From: bugzilla-daemon@bugzilla.kernel.org
To: kvm@vger.kernel.org
Subject: [Bug 210695] error: kvm run failed Invalid argument
Date: Wed, 16 Dec 2020 20:49:49 +0000	[thread overview]
Message-ID: <bug-210695-28872-EwxlIyQfIA@https.bugzilla.kernel.org/> (raw)
In-Reply-To: <bug-210695-28872@https.bugzilla.kernel.org/>

https://bugzilla.kernel.org/show_bug.cgi?id=210695

--- Comment #4 from Sean Christopherson (seanjc@google.com) ---
Aha!  I haven't reproduced the bug (mostly because I'm pretty sure my guests
aren't doing emulated MMIO accesses with paging disabled), but I'm pretty sure
I know what's going on, and why -rc4 may have worked.

Your guest has paging disabled, in which case mmu->root_level will be '0' and
mmu->shadow_root_level will be '3'.  If the shadow walk in get_walk() bails
without ever entering the loop (due to an invalid PAE root), the returned leaf
will be '0' because get_walk() uses mmu->root_level instead of
mmu->shadow_root_level.  In get_mmio_spte(), this causes the check for reserved
bits to check uninitialized/stale stack memory and return a bogus SPTE.

Pre-rc6, both get_mmio_spte() and get_walk() used the bad mmu->root_level,
which meant that the reserved bits check would get skipped in the above
scenario.  But, get_mmio_spte() would still return a stale/bogus SPTE, so it's
not at all surprising that things failed.  Actually, it's surprising that any
5.10-rc* work.  Best guess is that there is a mostly unrelated change that
causes things to work by sheer dumb luck.

In rc6, the get_mmio_spte() half of the bug was fixed by commit 9a2a0d3ca163
("kvm: x86/mmu: Fix get_mmio_spte() on CPUs supporting 5-level PT").  This
caused get_mmio_spte() to resume the reserved bits check, which all but
guaranteed an explosion, i.e. ensured a 100% failure rate on your end.

TL;DR: Can you try this patch?  I'll also try to reproduce the original bug on
my end now that I have a smoking gun.

diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c
index 7a6ae9e90bd7..6880119840c1 100644
--- a/arch/x86/kvm/mmu/mmu.c
+++ b/arch/x86/kvm/mmu/mmu.c
@@ -3488,7 +3488,7 @@ static bool mmio_info_in_cache(struct kvm_vcpu *vcpu, u64
addr, bool direct)
 static int get_walk(struct kvm_vcpu *vcpu, u64 addr, u64 *sptes)
 {
        struct kvm_shadow_walk_iterator iterator;
-       int leaf = vcpu->arch.mmu->root_level;
+       int leaf = vcpu->arch.mmu->shadow_root_level;
        u64 spte;

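Review bot: the bail-out path of get_walk() still hands the caller a level it will use to index sptes[]; when the loop never runs, sptes[shadow_root_level - 1] has not been written either, so get_mmio_spte() reads a stack slot the walk did not fill (the stale SPTE the comment describes), only at a different index than before this change. Returning a value that cannot be a real level (for example -1) from the bail-out path and checking it explicitly in get_mmio_spte() would make the "no SPTE stored" case unambiguous instead of relying on the initial value of `leaf`. Separately, the hunk as pasted is incomplete: the header promises 7 lines per side but only 6 are shown after `u64 spte;`, and the `@@` line is wrapped, so it will not apply as-is; when this goes upstream it should also carry a Fixes: tag for 9a2a0d3ca163 and a commit message stating why shadow_root_level is the right initial value.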
-- 
You are receiving this mail because:
You are watching the assignee of the bug.
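The mechanism in the comment above, as an added stand-alone C model that is not KVM code and not part of the bug report or the patch. The names (model_get_walk, model_get_mmio_spte, run_scenario), the 5-slot buffer, the STALE pattern standing in for never-written stack memory and the 'root_valid' flag are assumptions made for this example. It runs the reported scenario (guest paging disabled, root_level 0, a 3-level shadow root that is invalid) through three variants of the walker: the pre-patch initial leaf, the patched initial leaf, and a sentinel variant (an assumption of this example, not what the patch does) where the bail-out path returns -1 and the caller checks it. The model counts how many sptes[] slots the consumer reads that the walk never wrote and whether it would index sptes[leaf - 1] out of range.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_LEVEL     5                   /* models PT64_ROOT_MAX_LEVEL */
#define STALE         0xDEADBEEFCAFEULL   /* constructed pattern standing in for stale stack */
#define SPTE_PRESENT  (1ULL << 0)         /* constructed "present" bit */
#define LEAF_NONE     (-1)                /* sentinel: the walk stored no SPTE (assumed variant) */

enum walk_mode { MODE_PRE_PATCH, MODE_PATCH, MODE_SENTINEL };

struct model_mmu {
    int root_level;            /* guest level; 0 when guest paging is disabled */
    int shadow_root_level;     /* shadow table levels; 3 for PAE in the report */
    bool root_valid;           /* false models the invalid PAE root that makes the walk bail */
    uint64_t table[MAX_LEVEL]; /* SPTE for each level, indexed by level-1 (constructed) */
};

struct mmio_result {
    int leaf;          /* value the walker returned */
    int stale_reads;   /* sptes[] slots read that the walk never wrote */
    bool oob_index;    /* consumer would have indexed sptes[] with level 0, i.e. sptes[-1] */
    uint64_t spte;     /* SPTE handed back to the consumer's caller */
};

/* Model of get_walk(): store the SPTE seen at each level, top down, and return the
 * level of the last one stored. The initial value of 'leaf' is what the patch changes;
 * if the walk bails before the loop, that initial value is what gets returned. */
static int model_get_walk(const struct model_mmu *mmu, uint64_t *sptes, enum walk_mode mode)
{
    int leaf = mode == MODE_PRE_PATCH ? mmu->root_level :
               mode == MODE_PATCH     ? mmu->shadow_root_level : LEAF_NONE;

    if (!mmu->root_valid)       /* bail without entering the loop */
        return leaf;

    for (int level = mmu->shadow_root_level; level >= 1; level--) {
        leaf = level;
        sptes[level - 1] = mmu->table[level - 1];
        if (!(sptes[level - 1] & SPTE_PRESENT))
            break;
    }
    return leaf;
}

/* Model of get_mmio_spte(): check sptes[] from the root level down to 'leaf' and hand
 * back sptes[leaf - 1]. Every read of a slot the walk never wrote is counted (the
 * "uninitialized/stale stack memory" of the comment); an out-of-range index is
 * recorded instead of being dereferenced. */
static struct mmio_result model_get_mmio_spte(const struct model_mmu *mmu, enum walk_mode mode)
{
    uint64_t sptes[MAX_LEVEL];
    struct mmio_result r = {0};

    for (int i = 0; i < MAX_LEVEL; i++)
        sptes[i] = STALE;       /* what a never-written stack slot looks like in this model */

    r.leaf = model_get_walk(mmu, sptes, mode);

    if (r.leaf == LEAF_NONE) {  /* sentinel variant: nothing was stored, say so explicitly */
        r.spte = 0;
        return r;
    }

    for (int level = mmu->shadow_root_level; level >= r.leaf; level--) {
        if (level < 1 || level > MAX_LEVEL) { r.oob_index = true; continue; }
        if (sptes[level - 1] == STALE)
            r.stale_reads++;
        /* the real consumer checks reserved bits of sptes[level - 1] here */
    }

    if (r.leaf < 1 || r.leaf > MAX_LEVEL)
        r.oob_index = true;     /* sptes[leaf - 1] with leaf == 0 would be sptes[-1] */
    else
        r.spte = sptes[r.leaf - 1];
    return r;
}

/* Guest paging disabled (root_level 0), 3-level shadow root; 'root_valid' selects
 * the reported bail-out case (false) or a normal walk that stops at level 2 (true). */
static struct mmio_result run_scenario(enum walk_mode mode, bool root_valid)
{
    struct model_mmu m = { .root_level = 0, .shadow_root_level = 3, .root_valid = root_valid,
                           .table = { [2] = SPTE_PRESENT | 0x1000, [1] = 0xABC0 } };
    return model_get_mmio_spte(&m, mode);
}

int main(void)
{
    const char *names[] = { "pre-patch", "patched", "sentinel" };
    for (int mode = MODE_PRE_PATCH; mode <= MODE_SENTINEL; mode++) {
        struct mmio_result r = run_scenario((enum walk_mode)mode, false);
        printf("%-9s bail-out: leaf=%2d stale_reads=%d oob=%d spte=%#llx\n", names[mode],
               r.leaf, r.stale_reads, r.oob_index, (unsigned long long)r.spte);
    }
    return 0;
}
```

In the bail-out scenario the pre-patch variant returns leaf 0, so the consumer loops over three never-written slots and would then index sptes[-1]; the patched variant returns leaf 3, which removes the out-of-range index but still hands back the one slot at shadow_root_level - 1 that the walk never filled; the sentinel variant returns nothing and reads no stale slot at all. With a valid root all three variants behave identically, which is the property a change to the bail-out path should preserve.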
